In a recent development that has sent shockwaves through the data privacy community, BMW has confirmed a significant data breach affecting approximately 14,000 customers in Hong Kong. The breach, which was first reported to the Office of the Privacy Commissioner for Personal Data on July 18, 2024, has raised serious concerns among the affected individuals and prompted a thorough investigation by local privacy authorities.
According to reports from South China Morning Post, BMW Concessionaires (HK), the exclusive distributor of BMW vehicles in Hong Kong, disclosed that sensitive information belonging to around 14,000 customers had been compromised. This includes names, mobile numbers, and SMS opt-out preferences. The company revealed that the compromised data was managed by a third-party contractor, Sanuker, which promptly alerted both the police and the privacy watchdog about the breach.
The handling of the situation has been met with criticism from cybersecurity expert Michael Gazeley, who is also a BMW iX electric vehicle owner. Gazeley expressed frustration over BMW’s lack of direct communication with the affected customers, noting that the company had only posted a brief notice on its website. He highlighted the severity of the breach, stating that the exposed confidential data could lead to potential fraud and scams based on the customer information.
The Office of the Privacy Commissioner for Personal Data is currently investigating the incident, although no formal complaints or inquiries related to the breach have been received thus far. The agency had advised BMW to promptly inform affected individuals, but public dissatisfaction with the company’s response has been apparent.
This recent data breach adds to a concerning history of cyberattacks and breaches at BMW. In February 2024, a separate security lapse exposed sensitive internal information due to a misconfigured cloud storage server hosted on Microsoft Azure. Security researcher Can Yoleri discovered the exposed data, which included private keys and internal files from BMW’s development environment.
The misconfiguration of the cloud storage bucket made the data publicly accessible, exposing access credentials for BMW’s cloud services in various regions. The full extent and duration of the exposure remain unclear, underscoring the seriousness of the breach.
In a disturbing turn of events, the hacker group known as 888 claimed responsibility for the data leak and made the stolen information publicly available on a notorious hacking forum, BreachForums. The data dump included detailed personal information such as salutations, surnames, first names, mobile numbers, and SMS opt-out preferences of BMW customers in Hong Kong.
In response to these troubling developments, BMW has reiterated its commitment to prioritizing the privacy and security of its customers. The company has vowed to enhance its data security measures to prevent future incidents and strengthen the security of its systems to safeguard customer data from unauthorized access.
As the investigation into the data breach continues, affected individuals and cybersecurity experts are closely monitoring the situation for further updates and security improvements from BMW to prevent similar breaches in the future.